The U.S. Supreme Court recently agreed to accept a case on a data privacy issue related to whether or not an employee has a reasonable expectation of privacy for personal messages sent on devices owned by an employer. The legal question revolves around whether or not such personal messages are protected under the Fourth Amendment of the Constitution that prohibits unreasonable searches and seizures. Ostensibly, this is about a narrow situation where a public employee had his pager messages transcribed into text and read by his superior. Practically, it touches a much broader and more important issue of how employee data privacy affects the management of information that organizations, including business, governmental and non-profit entities, need to keep and examine for legitimate purposes, such as compliance with government regulations or discovery related to a court case.
It's easy to understand how a strong stance on behalf of employee data privacy might create significant problems for businesses. As a result, the clarity of the Supreme Court ruling is important so that businesses know what they can and cannot do as related to employee data privacy. Among the issues that will be discussed are the following:
- How collecting personal communications may be an unavoidable byproduct of a normal business process.
- The difficulty of separating business from personal communications.
- How denying an organization the ability to read personal communications captured as part of a normal business process could conceivably expose it to both business and legal risk.
- What might happen if businesses decide to try and collect personal business communications not part of a normal business process.
The case is not only about the use of an employee pager, but it also touches the shared personal/business use of electronic devices at various locations and under different ownership models. Today, the use of electronic devices for both personal and business/enterprise use is common. That can include untethered mobile devices that use wireless communications, such as pagers, cell phones, and personal digital assistants (PDAs), as well as those that may also use network connections, such as laptop, notebook and netbook computers. It can also include tethered devices, such as telephones and desktop PCs. The location where electronic devices are used can vary considerably. Many employees work only at employer-owned sites, but an increasing number of workers are permanently or semi-permanently out of the office due to job requirements, telecommuting or travel.
The "owner" (i.e., the purchaser) of a device may vary, too, as either the employee or the employer may own the device (joint ownership is conceivable but less likely). Since the collaboration that electronic devices enable requires a network of some kind, communications costs may be borne either by the employee or the employer or in some combination. For example, a person who works at home may have a single Internet connection that they pay for fully even though the connection is sometimes used for business purposes. On the other hand, the employer may pay, either directly or via reimbursement to the employee via an expense account, for all of an Internet connection although some of it is used for personal purposes.
The overlap of personal and business use of various devices at different locations and with different ownership patterns may sound very complicated, but it has become commonplace. That said, from the perspective of employee data privacy proliferation, location and ownership are general principles that are likely to apply to virtually all of the different possible combinations related to the Supreme Court case.
As a starting point, I've used some of the principles, ideas and concepts discussed in my recent book Data Protection: Governance, Risk Management, and Compliance, builds upon that foundation and is extended to meet the requirements of this particular situation. Even though data protection and data privacy are more or less synonymous in many areas (including the European Union), more generally, data privacy is really a subset of overall data protection. Before considering data privacy however, we must examine the capture of data. Whenever an electronic device generates data, the question is whether or not it can be captured in non-transient form. For example, landline telephone conversations are typically not captured on recording (i.e., storage) media. That means that it could not be reproduced and would be lost forever. No data privacy violation could occur.
